Direct Inward Dialing: +1 408 916 9892
Once ADAudit Plus is installed, it automatically configures the audit policies required for Active Directory auditing.
To enable automatic configuration: Log in to the ADAudit Plus web console → Domain Settings → Audit Policy: Configure.
Permission changes in Windows registry can be identified by following the steps below:
Login to ADAudit Plus.
Select the required Domain from the dropdown list.
Go to the Reports tab.
Navigate to GPO Setting Changes.
Select Windows Settings Changes.
ADAudit Plus enables IT administrators to have a comprehensive picture of all the activities that happen within their organization's network. The real-time monitoring capabilities and out-of-the-box reports offered by ADAudit Plus make it easier to track critical changes in Windows registry permissions, and detect and prevent mishaps.
With native AD auditing, here is how you can monitor Windows registry permission changes:
Launch Server Manager in your Windows Server instance.
Under Manage, select Group Policy Management and launch the Group Policy Management console.
Navigate to Forest ➔ Domain ➔ Your domain ➔ Domain Controllers.
Create a new GPO and link it to the domain containing the registry to be monitored, or edit any existing GPO that is linked to the domain to open the Group Policy Management Editor.
Navigate to Computer Configuration ➔ Windows Settings ➔ Security Settings ➔ Local Policies ➔ Audit Policy.
The Audit Policy lists all of its sub-policies in the right panel, as shown in the figure below.
Under Audit Policy, turn auditing on for Success and failure events of Audit Object Access policy.
Click Apply and OK to close Properties window.
To enforce these changes throughout the domain, run the command gpupdate /force, in the Run console.
Click Start, Run and type Regedit and press Enter.
In the Registry Editor navigate to the key you want to audit.
Right-click the key and select Permissions.
Click Advanced on the Permissions for dialog box and click Add.
Apply the following settings
Principal: Everyone
Type: All
Applies to: This key and subkeys
Permissions: Select Full Control check box.
Click Apply, then OK, and close the console.
In Event Viewer window, go to Windows Logs ➔ Security logs.
Click on Filter current log under Action in the right panel.
Search for Event ID 4670, this identifies Windows registry permission changes.
You can double-click on the event to view Event Properties.
These steps need to be repeated for all the registry keys to audit changes in registry permissions. Manually checking every event is time-consuming, inefficient, and practically impossible.
Native auditing becoming a little too much?
Simplify Windows registry permission changes auditing and reporting with ADAudit Plus.
Get Your Free Trial Fully functional 30-day trialADAudit Plus simplifies monitoring of changes in Windows registry permissions by offering predefined Windows Settings Changes reports which are easily comprehendible. ADAudit Plus also provides the option to generate custom reports and export them in your preferred format (PDF, XLS, HTML, and CSV).
